1. Remember your role – internal audit’s mission is to provide an independent, objective assurance and consulting activity designed to add value and improve the organisation's operations. It is ultimately here to support the organisation’s success and delivery of its strategy, including sustainability. This provides you with clear purpose to your thinking. Remember a significant number of internal auditors are employees of their organisation and so we have a particular interest in making sure the organisation overcomes the current difficulties, survives and flourishes – so we need to be adaptable to meet the new demands which will be placed on us, but not lose sight of the value we can add in our unique role.
2. Take the Audit Committee Chair with you – They are one of your key stakeholders and allies, and with a strong and collaborative relationship internal audit will continue to add considerable value even in challenging times. Check that your audit committee is supportive of internal audit’s actions in response to COVID-19 (e.g. suspending the IA plan, offering auditors to support business functions where necessary, focussing on new and emerging risks in terms of assurance).
3. Prioritise – What is truly important just now (e.g. the Head of Internal Audit Annual Opinion, completion of the 2019/2020 IA plan, providing assurance to the audit committee and management around new and emerging risks)? Consider key risks to the organisation now and how these are changing. Is the organisation clear what they are, do key controls mitigate risks?
4. Keep your head up – Perhaps the greatest danger in a crisis is not seeing what may be coming over the horizon. This is frequently the case for management as well: internal audit can provide the prompt for them to raise their own eyes, look forward rather than just focussing on the today and tomorrow, when required.
5. Be agile – Many tried and tested processes and approaches simply do not work so well in a crisis. What is the simplest and quickest route to your objective?
6. Be a trusted adviser – An independent mind without operational responsibility but with the ability to think holistically can be even more valuable at times of crisis when management has their heads down problem solving. Pay particular attention to key risk decisions. Disciplines around risk decisions and risk appetite can weaken considerably in a crisis, and what may seem like good tactical decisions can inadvertently create greater risk than they are attempting to manage.
7. Communicate – News needs to travel very quickly in a crisis, and it still needs to be accurate, complete, constructive and relevant. Findings therefore need to be escalated quickly, with practicable recommendations for to resolve any issues. This will also help demonstrate internal audit’s relevance and the impact we are having.
8. Keep a diary – In these exceptional times management is devoting all of its resources in reacting and managing the situation. Internal audit has the opportunity to overview proceedings and take note of the good and the bad as the crisis evolves. There is nothing as powerful as independent insight from a crisis and internal audit can readily provide that and with the independence required. Do the same for your own function. You will learn much for the future from the crisis, don’t forget to record and reflect on lessons learnt within your organisation, your market sector and/or your geographical location.
9. Lead others – Share your thoughts and approach with the internal audit team. Be open and look for feedback. You have a role as a manager leading, inspiring and motivating your team at a time when each of them may have personally difficult circumstances to face inside and outside work. This is a time where a well-led team will deliver above and beyond expectations. Plan for a reduction in the internal audit team, the plan/work will evolve and change almost daily.
10. Use the IPPF as a reference point – There is much within the IPPF which can and indeed does apply just as well in a crisis. Use it and it will help you define your route map through the crisis.
1. What internal audit teams are doing about the audit plan?
1.1 Continuing with audit plan in some format
Internal audit can act as a steady ship, important to stay on track, however, be agile where possible.
My team are now all working remotely from home as are most of the organisation - auditing remotely is working so far but we recognise this will be challenging for some review - it very much relies on the engagement of the business and robust technology.
We are critically assessing the plan regarding management availability, each audit project is assessed client availability, data availability and remote auditing potential. We then will report to the audit committee.
It would be remiss to continue with the plan as if nothing is happening.
A paper for the audit and risk committee confirming that we will be able to deliver 70% of our plan and confirming which risks we will only be able to provide limited assurance on. We've stopped any audits that are impacting 1st and 2nd line recognising our IA team may be redeployed.
We are, if anything focusing more on delivery, taking into account the situation.
We're reviewing our audit plan for suitability and continuing wherever possible remotely to provide an aspect of business as usual. As a team we've been providing more support on business continuity planning activities, HIA time has been much more focused on the current risks being faced.
We are delivering the plan for now, as best we can, but fully expect to pause and be deployed onto other tasks very soon depending on the background and experience(s) of team members for example finance and business continuity.
The audit plan goes ahead with some cancellations which involved travelling. Slow in delivery of audits is expected due to remote working. The audit committee is totally supportive and approving changes as soon as they are raised. No specific requests so far to redeploy our resources to help other areas.
Not sure how audit plans can just continue - what I would hope we can do is reshape plans in an agile way to provide assurance which fits the 'new world' arrangements and the risks organisations face now. I'm thinking of controls over employees working at home, monitoring performance, risk management, checking controls on fraud, phishing and cyber for example.
We have revised our plan to provide assurance over those areas impacted by COVID, and changes being made to operations to support ongoing continuity - this is important as we are in a sector regarded as critical services.
Right now, we're doing COVID risk assessments to support the organisation and will be doing some COVID related testing but yes - we're largely following our existing audit plan but with amendments; some audits are being rescheduled (especially international). The picture is mixed though across the sector, I know some internal audit teams have been furloughed.
We provide a fully outsourced internal audit function and are continuing with client audit plans but doing these remotely via secure document exchange and use of Skye/MS Teams to do interviews. We are somewhat reliant on clients being able to work remotely and provide information however so far it’s working ok.
Financial Conduct Authority has stated that they expect internal audit (and other control functions) to continue to deliver on their mandate. At the same time there is an explicit requirement to focus on operational resilience, thus creating an inherent tension.
Conclude 19/20 plan asap to get a HIA audit opinion out within a week or two. We will drop jobs, re scope others and take a view as to what’s enough to give a view.
1.2 Audit plans on hold
My audit plans are on hold. For one of my organisations, I have been asked to undertake an immediate review of the new risk profile and facilitate a new risk register.
The current plan is expected to be put on hold for at least 60 days, potentially 90. We are in the process of pulling together a new plan based on the Tier 1 and Tier 2 business processes and what assurance is needed over them and what we can provide.
Suspend/cancel all 20/21 Q1 activity.
We have agreed with the audit committee to pause and postpone our quarter two activity, clear our work in progress so that we are ready to support in the right way when we 'bounce back'.
Resume the 20/21 plan in July with a 9-month version of the original plan that will focus on core audits to deliver the HIA opinion in March 21. This will be subject to the state of the service at the end of Q1.
The internal audit team are likely to redeploy in the next 7-10 days, I will remain in role as CAE and am remote from the team in any case. I am acting as a key adviser to my boss, the CEO. We are having daily teleconference meetings, covering a range of pressing matters with other members of the senior management team. I feed in thoughts and concerns from a governance, risk, control and counter-fraud perspective as necessary.
Deploy the team (circa 75 folks) into acute trusts to do whatever is needed to support front line health care – seniority/grade vs. job to be done will be irrelevant i.e. HIA may be peeling spuds or pushing wheelchairs.
1.3 What is happening regarding internal audit follow-up?
In reality, even if we raise fresh issues, they may drop to the bottom of management’s list.
We are putting a three month stop on follow-up by extending all completion dates by a blanket three-month period but are encouraging management to work towards closure where possible.
We are following up but being more open to due date changes due to management pressures. Also having more of a focus on the most important issues.
Prioritised on open issues that are crisis relevant and pushing out dates for others.
We are expecting more overdue (ok with this) and probably cutting back on most follow-up work on lower priority findings.
For action follow up we're planning to see what evidence comes in on existing evidence due dates, but then anywhere evidence is outstanding we will only chase up those that are high priority.
We are doing remote follow up, but only with managers who are working on non-critical activity at home. We certainly wouldn't want to impact the frontline with this right now.
If redeployed - how do, we continue to ensure ongoing internal audit independence?
Need to recognise the impact on independence in the real world, perhaps the issue is more about objectivity moving forward.
For all meetings next week and over the last couple of weeks given the option for their time with us to be pushed back a few weeks to give breathing space.
I am seeing organisations push back external audits and reporting lines to help with managing year end.
Also needing to make changes to our 20/21 plan - one key audit will be Covid-19 lessons learned.
It is Important to reach out to key business leaders and offer other parts of the business assistance, firms may be diverting important business operations to another location or modifying supply chain, this brings a range of new risks.
I am mindful of internal and external shortcuts resulting in increased potential for fraud, cyber such as phishing/hacking e.g. phone calls/emails/invoices.
We need to think more about fraud opportunities eg theatre ticket refunds potentially million of GBP so where are the controls, are they workable are they effective.
We need to consider the impact of working from home where we are taking additional risk, where controls have changed and where new processes are being put in place.
These are extraordinary times and a time when, in my sector, we really are looking a scenario where we are literally making life and death decisions. It puts priorities into stark contrast.
Despite the mass of regulation we have in the UK & Europe to safeguard the public (food, goods, services etc) and our general way of life, the lack of basic regulation in a place most of us have never heard of, has brough the world to its knees, bypassing all the “controls” we have in place.
Question is – are we wasting our time – unless standards and regulations are global and complied with. Now that’s an exam question.
4. Audit committees
Chairs are very supportive, it’s all about communicating, internal audit must engage, communicate and remain very visible.
In regular contact with committee chair, agreed audit plan needs to flex, keeping a line or sight for the audit committee on decisions being made by senior executives and the implications for risk.
I think the main thing is keeping in regular touch with the audit committee chair and sharing thought processes. Support is definitely there from the audit committee and the wider board on sensible decisions.
I am in regular contact with the audit committee chair to keep them updated on changes we are making. The audit committee are supportive and keen to ensure that internal audit provides assurance over key areas during such a period of change.
As an audit committee chair as well, I am in fairly regular contact with the CAE. I appreciate that the team are also being redeployed piecemeal to support the organisation. I am supportive of this as the frontline staff are increasingly away/sick and need help to meet public needs.
I’m particularly interested to hear views about what the audit committee chair will expect in this situation. As a committee chair, I’m very conscious of the problems facing both the internal auditors, but also - more so - the organisation as a whole. I don’t expect to follow the planned agenda for our next committee meeting but do want to understand what the organisation is doing to respond to the risks it faces right now. However, there are some things that the committee needs to do and see as part of our normal business.
How are organisations striking the balance between necessary normal business and our emergency responses?
5. General feedback on the session
I just wanted to say a huge thank you for joining us on Zoom for Wednesday’s (25th March) afternoon's forum!
The feedback and suggestions we received from you in the online chat and afterwards were all very helpful and positive, and we are already taking them onboard in shaping next week's forum.
I'm sure it helped us all as heads of audit to know that others are wrestling with similar challenges to ours and to be able to share some ways forward - helping us maximise the contribution we can make to our organisations in what is for everybody a difficult period, but one in which internal audit has an absolutely vital role to play.
Above all, there was a feeling from participants that the forum could usefully be a little longer: so, we are planning for a 45-minute session next Wednesday and will see how that goes. I don't get the feeling that we would run out of things to talk about in an even longer session, but equally I am very aware of all the other demands on your time and so we want to make the sessions as productive as possible. We also realise that it might not be possible for each of you to join for every session, so we will be making the notes available as quickly as possible and will be reaching out to you in many other different ways too.
Liz and Derek promised to share more materials as they become available, and these will be put onto the Chartered Institute's "COVID-19 hub” webpage. We are also keeping close to our fellow institutes in other countries and will put up links to their information too where this is helpful. I mentioned in particular the American IIA survey, now available on the COVID-19 Hub. That way we can all benefit from the best thinking being done around the worldwide internal audit community, as well as contributing to it ourselves with the outputs from events like our Forum.
I am most grateful for the work that everyone at the Institute is doing, and I sure I speak for all of us in saying a big thank you to them too.
We will look forward to seeing you again on Zoom next week if you are able to join us, as we continue to explore the implications and issues for all of us. And we will stay in touch with you through other routes too. Please do not hesitate to let Liz (firstname.lastname@example.org), Derek (email@example.com) or me know how the Institute can best support you especially at this time - as well as sharing ways in which we can all help each other.
With warmest regards
President, Chartered Institute of Internal Auditors